Period for Reply



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM
THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) [X] Responsive to communication(s) filed on 25 February 2002.
2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-10 is/are pending in the application.

4a) Of the above claim(s) ____ is/are withdrawn from consideration.

5) [ ] Claim(s) ____ is/are allowed.

6) [X] Claim(s) 1-10 is/are rejected.

7) [ ] Claim(s) ____ is/are objected to.

8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 29 January 2001 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. ____.

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received.
DETAILED ACTION



Specification 



1. The abstract of the disclosure is objected to because the abstract is too long
(more than 150 words). Correction is required. See MPEP § 608.01(b). 

Applicant is reminded of the proper language and format for an abstract of the 
disclosure. 

The abstract should be in narrative form and generally limited to a single 
paragraph on a separate sheet within the range of 50 to 150 words. It is important that
the abstract not exceed 150 words in length since the space provided for the abstract
on the computer tape used by the printer is limited. The form and legal phraseology 
often used in patent claims, such as "means" and "said," should be avoided. The 
abstract should describe the disclosure sufficiently to assist readers in deciding whether 
there is a need for consulting the full patent text for details. 

The language should be clear and concise and should not repeat information 
given in the title. It should avoid using phrases which can be implied, such as, "The
disclosure concerns," "The disclosure defined by this invention," "The disclosure
describes," etc.

Claim Rejections - 35 USC § 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 
(e) the invention was described in a patent granted on an application for patent by another filed in the
United States before the invention thereof by the applicant for patent, or on an international application
by another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this
title before the invention thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act 
of 1999 (AIPA) and the Intellectual Property and High Technology Technical 
Amendments Act of 2002 do not apply when the reference is a U.S. patent resulting 
directly or indirectly from an international application filed before November 29, 2000. 
Therefore, the prior art date of the reference is determined under 35 U.S.C. 102(e) prior 
to the amendment by the AIPA (pre-AIPA 35 U.S.C. 102(e)).

3. Claims 1-10 are rejected under 35 U.S.C. 102(e) as being anticipated by Win et al 
(Hereafter, Win), U.S. Pat. No. 6,182,142. 

Regarding claim 1, Win teaches a method for provisioning users with resources 
(= distributed access management of information resources based on the user's role in 
the organization) [see Abstract], the method comprising the steps of: 

establishing a set of attributes, organizational information, and user roles (= 
establishing groups, roles, resources and associations wherein each roles record 
contains a name string, unique identifier, description string and additional fields or 
attributes) [see Col. 13, Lines 25-31 and Col. 13, Line 55 to Col. 14, Line 3];

defining a plurality of resource provisioning policies based on selected attributes, 
organizational information, and user roles (= implementing access rules by defining 
roles that users play when working for an organization or doing business with an 
enterprise) [see Col. 5, Lines 29-53 and Col. 14, Line 5-67 and Col. 15, Line 46 to Col. 
16, Line 14];

receiving attribute information, organizational information, and user role
information for a particular user, resource, or database (= receiving and storing 
information about users, resources and roles of the users) [see Col. 2, Lines 28-34 and 
Col. 5, Lines 19-21 and Col. 6, Lines 27-29]; 

determining which resource provisioning policies are applicable to the user based 
on the received user role information, organizational information, and attribute 
information (= determining what resources a user can access based on roles and 
functional groups within the organization) [see Col. 5, Lines 46-62]; 

seeking additional information or authorizations from third parties in accordance 
with the applicable resource provisioning policies (= protected server with resources 
protected by the runtime module that decrypts information in the cookies to verify if the 
user is authorized to access to the resource and returns information based on the user's 
name and roles) [see Col. 6, Line 65 to Col. 7, Line 5 and Col. 7, Lines 41-49]; and 

provisioning the user with the resources specified by the applicable resource 
provisioning policies if all necessary additional information or authorizations have been 
received from the third parties (= controlling access to information resource based on 
the user's role in the organization [see Abstract] wherein assigning or deleting a role 
to/from a user can add or delete access to all resources with that role and adding or 
removing a role to/from a resource can give or take away access to that resource from 
all users with that role [see Col. 5, Line 64 to Col. 6, Line 5 and Col. 7, Line 41 to Col. 8, 
Line 8]).

Regarding claim 2, Win further teaches the step of receiving attribute information,
organizational information, and user role information comprising the step of receiving 
input from a user interface (= user interface display wherein a user can enter keywords 
and performs a variety of functions such as creating a new record, entering new data, 
modifying existing data) [see Figs. 10A-10C and Col. 18, Lines 10-67]. 

Regarding claim 3, Win further teaches the step of receiving attribute information, 
organizational information, and user role information for a particular user comprising 
receiving attribute information and user role information from an employee records 
database (= receiving stored information about users, resources and roles of the users 
[see Col. 2, Lines 28-34 and Col. 5, Lines 19-21 and Col. 6, Lines 27-29] by reading 
from the registry repository (110) [see Col. 6, Lines 26-38] wherein each user record 
stores profile information [see Col. 13, Lines 23-36]). 

Regarding claim 4, Win further teaches the step of seeking additional information 
or authorizations from third parties (= authorization from the protected server) [see Col.
7, Lines 41-49] comprising the steps of: 

providing the third party with access to the user interface (= the administration 
application (114) is used to enter information about the protected server via user 
interface screen) [see Col. 7, Lines 53-56]; 

indicating to the third party which information or authorization needs to be 
supplied (= protected server with resources protected by the runtime module that 
decrypts information in the cookies to verify if the user is authorized to access to the
resource) [see Col. 7, Lines 41-49 and Col. 8, Lines 32-40 and Col. 8, Lines 45-65]; and 

suspending the provisioning of resources to the user until the additional 
information or authorization is supplied (= if conditions are not satisfied, then the user 
does not have authorization and access to the resource is restricted) [see Col. 8,
Lines 40-44 and Col. 8, Line 66 to Col. 9, Line 5]. 

Regarding claim 5, Win further teaches the step of seeking additional information 
or authorizations from third parties comprising the steps of: 

receiving first additional information or authorizations from third parties in 
accordance with the applicable resource provisioning policies (= protected server with 
resources protected by the runtime module that decrypts information in the cookies to 
verify if the user is authorized to access to the resource and returns information based 
on the user's name and roles) [see Col. 6, Line 65 to Col. 7, Line 5 and Col. 7, Lines 41-49]; and

seeking second additional information or authorizations from other third parties or 
the user based on the received first additional information or authorizations and the 
received attribute information, organizational information, and user role information (= 
protected server with runtime module is notified of configuration changes and a remote 
configuration service of the runtime module uses the access control library to read 
updated information from the registry server (108) [see Col. 7, Line 66 to Col. 8, Line 8] 
wherein assigning or deleting a role to/from a user can add or delete access to all 
resources with that role and adding or removing a role to/from a resource can give or
take away access to that resource from all users with that role [see Col. 5, Line 64 to 
Col. 6, Line 5 and Col. 7, Line 41 to Col. 8, Line 8]). 

Regarding claim 6, Win teaches a system for provisioning users with resources 
(= distributed access management of information resources based on the user's role in 
the organization) [see Abstract], the system comprising: 

a data server for storing a set of attributes, organizational information, and user 
roles (= registry server (108) with registry repository (110) that stores information about 
users, resources and roles of the users [see Col. 6, Lines 27-29] wherein groups, roles, 
resources and associations are established [see Col. 13, Lines 25-31 and Col. 13, Line 
55 to Col. 14, Line 3]), a plurality of resource provisioning policies based on selected 
attributes, organizational information, and user roles, and attribute information and user 
role information for a particular user or resource (= implementing access rules by 
defining roles that users play when working for an organization or doing business with 
an enterprise) [see Col. 5, Lines 29-53 and Col. 14, Line 5-67 and Col. 15, Line 46 to 
Col. 16, Line 14]; and 

one or more processors coupled to the memory and an organizational network 
[see Fig. 2], the processors programmed for 

determining which resource provisioning policies are applicable to the stored 
user role information, organizational information, and attribute information (= 
determining what resources a user can access based on roles and functional groups
within the organization) [see Col. 5, Lines 46-62], 

seeking additional information or authorizations from third parties in accordance 
with the applicable resource provisioning policies (= protected server with resources 
protected by the runtime module that decrypts information in the cookies to verify if the 
user is authorized to access to the resource and returns information based on the user's 
name and roles) [see Col. 6, Line 65 to Col. 7, Line 5 and Col. 7, Lines 41-49], and 

provisioning a user with the resources specified by the applicable resource 
provisioning policies if all necessary additional information or authorizations have been 
received from the third parties (= controlling access to information resource based on 
the user's role in the organization [see Abstract] wherein assigning or deleting a role 
to/from a user can add or delete access to all resources with that role and adding or 
removing a role to/from a resource can give or take away access to that resource from 
all users with that role [see Col. 5, Line 64 to Col. 6, Line 5 and Col. 7, Line 41 to Col. 8, 
Line 8]). 

Regarding claim 7, Win further teaches a user interface for inputting the attribute 
information and user role information for a particular user or resource (= user interface 
display wherein a user can enter keywords and performs a variety of functions such as 
creating a new record, entering new data, modifying existing data) [see Figs. 10A-10C 
and Col. 18, Lines 10-67].

Regarding claim 8, Win further teaches a system as recited in claim 6, the data
server further including an employee records database for storing attribute information 
and user role information for a particular user (= receiving stored information about 
users, resources and roles of the users [see Col. 2, Lines 28-34 and Col. 5, Lines 19-21 
and Col. 6, Lines 27-29] by reading from the registry repository (110) [see Col. 6, Lines 
26-38] wherein each user record stores profile information [see Col. 13, Lines 23-36]). 

Regarding claim 9, Win further teaches the processor further programmed for: 

providing the third party with access to the user interface (= the administration 
application (114) is used to enter information about the protected server via user 
interface screen) [see Col. 7, Lines 53-56]; 

indicating to the third party which information or authorization needs to be 
supplied (= protected server with resources protected by the runtime module that 
decrypts information in the cookies to verify if the user is authorized to access to the 
resource) [see Col. 7, Lines 41-49 and Col. 8, Lines 32-40 and Col. 8, Lines 45-65]; and 

suspending the provisioning of resources to the user until the additional 
information or authorization is supplied (= if conditions are not satisfied, then the user 
does not have authorization and access to the resource is restricted) [see Col. 8,
Lines 40-44 and Col. 8, Line 66 to Col. 9, Line 5]. 



Regarding claim 10, Win further teaches the processor further programmed for:

receiving first additional information or authorizations from third parties in
accordance with the applicable resource provisioning policies (= protected server with 
resources protected by the runtime module that decrypts information in the cookies to 
verify if the user is authorized to access to the resource and returns information based 
on the user's name and roles) [see Col. 6, Line 65 to Col. 7, Line 5 and Col. 7, Lines 41-49]; and

seeking second additional information or authorizations from other third parties or 
the user based on the received first additional information or authorizations and the 
stored attribute information, organizational information, and user role information (= 
protected server with runtime module is notified of configuration changes and a remote 
configuration service of the runtime module uses the access control library to read 
updated information from the registry server (108) [see Col. 7, Line 66 to Col. 8, Line 8] 
wherein assigning or deleting a role to/from a user can add or delete access to all 
resources with that role and adding or removing a role to/from a resource can give or 
take away access to that resource from all users with that role [see Col. 5, Line 64 to 
Col. 6, Line 5 and Col. 7, Line 41 to Col. 8, Line 8]). 



4. The following references cited by the examiner but not relied upon are 
considered pertinent to applicant's disclosure. 

A) Cheng, U.S. Pat. No. 6,067,548, discloses dynamic organization model and 
management computing system. 



Other References Cited 
B) Schneider et al, U.S. Pat. No. 6,408,336, discloses distributed administration of
access to information. 

C) Ginn, U.S. Pat. No. 6,052,723, discloses aggregating control on an electronic 
network by creating groups of users and determining policy for groups of users. 

D) Barkley, U.S. Pat. No. 6,088,679, discloses workflow management employing 
role-based access control. 

E) Hudson et al, U.S. Pat. No. 6,055,637, discloses resource access control system 
with user's assigned role and unique identifier. 

F) Du et al, U.S. Pat. No. 5,826,239, discloses distributed workflow resource 
management. 

G) Barkley et al, U.S. Pat. No. 6,202,066, discloses role/group permission 
association using object access type. 

H) Kuhn, U.S. Pat. No. 6,023,765, discloses implementation of role-based access 
control in multi-level secure systems. 

I) Ueno et al, U.S. Pat. No. 6,237,036, discloses generating access control lists.

J) Fisher et al, U.S. Pat. No. 6,085,191, discloses providing database access
control in a secured distributed network.

K) Deinhart et al, European Patent Application No. EP 0697662A1, discloses role-based
access control in distributed and centralized computer system.

L) Hitchens et al, "Design and Specification of Role Based Access Control Policies", 
IEEE, Aug. 2000, discloses role-based access control policies.

M) Tari et al, "A Role-Based Access Control For Intranet Security", discloses role-based
access control.

5. A SHORTENED STATUTORY PERIOD FOR RESPONSE TO THIS ACTION IS 
SET TO EXPIRE THREE MONTHS, OR THIRTY DAYS, WHICHEVER IS LONGER, 
FROM THE MAILING DATE OF THIS COMMUNICATION. FAILURE TO RESPOND 
WITHIN THE PERIOD FOR RESPONSE WILL CAUSE THE APPLICATION TO 
BECOME ABANDONED (35 U.S.C. § 133). EXTENSIONS OF TIME MAY BE 
OBTAINED UNDER THE PROVISIONS OF 37 CFR 1.136(a).

6. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Philip Tran whose telephone number is (703) 308-8767. 
The Group fax phone number is (703) 872-9306. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Hosain T. Alam, can be reached on (703) 308-6662. 

Any inquiry of a general nature or relating to the status of this application should 
be directed to the Group receptionist whose telephone number is (703) 305-3900. 




Philip B. Tran 
Art Unit 2155
May 24, 2004 



